CVE-2025-10943

Vulnerability

Overview

The file wx.php in the MikeCen WeChat-Face-Recognition project up to commit 6e3f72bf8547d80b59e330f1137e4aa505f492c1 contains a reflected cross-site scripting (XSS) flaw in the valid function [1]. The echostr is a parameter commonly used in WeChat server configuration validation, and the application fails to sanitize or encode its value before reflecting it back to the user's browser. The product does not use versioning, so specific affected releases are not defined [1].

Attack

Vector

The attack can be launched remotely without authentication. An attacker crafts a malicious URL containing a JavaScript payload in the echostr parameter and tricks a victim into clicking the link. The server then reflects the payload in the HTTP response, executing it in the context of the victim's session with the application [1].

Impact

Successful exploitation allows an attacker can execute arbitrary JavaScript in the victim's browser, potentially leading to session hijacking, defacement, or redirection to malicious sites. The CVSS v3 base score is 3.5 (Low), reflecting the need for user interaction and the limited scope of impact [1].

Mitigation

The vendor was contacted but did not respond, and no official patch has been released. Users should manually sanitize the echostr parameter in wx.php or implement a Web Application Firewall (WAF) rule to block malicious input. As the project appears unmaintained, migrating to an alternative solution is recommended [1].